GPM Personal - Corey Neskey - 1/25/20
The USB scenarios considered involve removing a security control that has been in place at Derp Corp since VirtualDerp was set up, but they give personnel an easier method of file export.
The SuperCloud scenarios considered do not involve removal of security controls but afford a less convenient method of file export.
| Included | Excluded | Included | Excluded | Included | Excluded | Included | Excluded | Included | Excluded |
|---|---|---|---|---|---|---|---|---|---|
| eNPI & FERPA | Other | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | DERP AD Systems | privileged insiders (DERP & Vendors) | deliberately | Mechanical | confidentiality | ||
| TIS Secrets | herp-p-cupmgmt “CU Server” on ODMNet | DERP SMTP Systems | non-privileged insiders (DERP & Vendors) | accidentally | Process Failure | integrity | |||
| herp-p-cupins “CU Insights Server” on ODMNet | DERP Networking and FW Systems | malicious software | Natural | availability | |||||
| herp-p-cupdc01 “CU Data Collector Server” on ODMNet | DERP Vulnerability Scanner Systems | external attackers | |||||||
| herp-p-cupmon SDC “CU Monitoring Server” on ODMNet | DERP Vendor Access | ||||||||
| herp-p-cupsql “SQL Insight Database” on ODMNet | HERP Replicated DR Equivalent Systems | ||||||||
| herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443) | HERP Backup Systems | ||||||||
| HERP TIS jump stations for administration on ODMNet | HERP DFS Systems | ||||||||
| XAs and XDs on SDC 32 AofA, 12th Fl. (HERP Citrix VDI network) | HERP SEP Server | ||||||||
| XAs and XDs on 75 Third Ave. (HERP Citrix VDI network) | HERP LANDESK Server |
scopedy scope scope
Table of visual highlighting Plan B…
Although the number of risks is greater, Derp Corp’s ability to reduce the probability, impact, and uncertainty of the controls associated with the SuperCloud Scenario 2 results in the least estimated risk.
The use of SuperCloud does not necessitate the additional expense and complexity of ongoing purchasing and encrypting of USB storage drives.
“Plan B: Dedicated, trained staff, controlled SuperCloud access folders, folder access expiration, “hardened” workstations, and minimum access CoreDB and file share accounts.”
All information collected, journaling of activities, FAIR factors, and the probabilistic risk model representing these changes are retained in a Box folder shared with the PIZZA CORP. Kitchen CIO.
The remainder of this report outlines the analysis in more depth for reference, validation, and welcome scrutiny.
Plan A Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $415,445 | $830,890 | $1,246,335 |
| Costs | $57,462 | $63,839 | $70,217 |
| Loss | $644,584 | $1,289,167 | $1,933,751 |
| Mitigation Costs | $0 | $0 | $0 |
| Prevented Loss | $0 | $0 | $0 |
| Net | -$286,600 | -$931,184 | -$1,575,767 |
Plan B Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $415,445 | $830,890 | $1,246,335 |
| Costs | $57,462 | $63,839 | $70,217 |
| Loss | $309,526 | $619,052 | $928,577 |
| Mitigation Costs | $6,230 | $6,230 | $6,230 |
| Prevented Loss | $335,058 | $670,115 | $1,005,173 |
| Net | $377,285 | $402,817 | -$576,824 |
Plan C Expected
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Benefits | $415,445 | $830,890 | $1,246,335 |
| Costs | $57,462 | $63,839 | $70,217 |
| Loss | $197,321 | $394,642 | $591,963 |
| Mitigation Costs | $60,725 | $60,725 | $60,725 |
| Prevented Loss | $447,263 | $894,525 | $1,341,788 |
| Net | $547,200 | $797,141 | -$631,319 |
| Benefit UID | Benefit Event | Benefits Probability | Benefits Lower Bound | Benefits Most Likely | Benefits Upper Bound | Benefits Rationale | Benefits Recurring_Ben |
|---|---|---|---|---|---|---|---|
| benefit-1 | Virtual System Performance Monitoring - to anticipate and prevent outages | 0.99 | 63476.56 | 182291.7 | 1718750 | LB = .5 hrs of outages for 2k employees making 75k+30%bens, ML = 1 hrs of outages 1.5k emps making 100k+30%bens, UB = 4 hrs outages 3k emps making 300k+30%bens, | TRUE |
| benefit-2 | Centralized Virtual System Control | 0.50 | 30.00 | 2000.0 | 200000 | Assumes Upper Bound is cost of one FTE. Not part of original use-case but may be used. | TRUE |
| Known Costs UID | Known Cost Event | Known Costs Lower Bound | Known Costs Most Likely | Known Costs Upper Bound | Known Costs Rationale | Known Costs Recurring Expense |
|---|---|---|---|---|---|---|
| cost-1 | CriticalUse direct purchase costs | 19790.47 | 19790.47 | 19790.47 | Actual Contract | FALSE |
| cost-2 | CriticalUse support and pro services | 0.00 | 0.00 | 0.00 | No Pro Services | FALSE |
| cost-3 | Internal setup and testing | 1500.00 | 24000.00 | 72000.00 | Wage-based - Sys Engineer x 2 - 1-12 week, ML 4 | FALSE |
| cost-4 | Internal initial security review | 1500.00 | 2800.00 | 5600.00 | Wage-based - Security Analyst x 1 | FALSE |
| cost-5 | Timeframe ongoing maintenance and SysAdmin | 1500.00 | 3000.00 | 24000.00 | Wage-based - Sys Engineer x 1 - 1 to 8 weeks ML 2 | TRUE |
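
An added example, not part of the original analysis: a Monte Carlo roll-up of the Known Costs table above into cumulative yearly cost. It assumes each lower / most likely / upper triple is a beta-PERT estimate and that rows marked recurring are incurred again every year; the distribution, trial count and seed are assumptions, since the report does not state them.

```python
import random

# Rows from the Known Costs table: (uid, lower, most likely, upper, recurring)
KNOWN_COSTS = [
    ("cost-1", 19790.47, 19790.47, 19790.47, False),
    ("cost-2", 0.00, 0.00, 0.00, False),
    ("cost-3", 1500.00, 24000.00, 72000.00, False),
    ("cost-4", 1500.00, 2800.00, 5600.00, False),
    ("cost-5", 1500.00, 3000.00, 24000.00, True),
]

def pert_mean(lb, ml, ub):
    """Mean of a beta-PERT estimate (assumed distribution, shape 4)."""
    return (lb + 4 * ml + ub) / 6

def pert_sample(rng, lb, ml, ub):
    """One draw from the same beta-PERT distribution."""
    if ub == lb:  # fixed-price rows (cost-1, cost-2) have no spread
        return lb
    a = 1 + 4 * (ml - lb) / (ub - lb)
    b = 1 + 4 * (ub - ml) / (ub - lb)
    return lb + rng.betavariate(a, b) * (ub - lb)

def applies(year, recurring):
    """One-time rows count in year 0 only; recurring rows count every year."""
    return year == 0 or recurring

def analytic_costs(years=3):
    """Cumulative expected cost per year from the PERT means."""
    out, running = [], 0.0
    for year in range(years):
        running += sum(pert_mean(lb, ml, ub)
                       for _, lb, ml, ub, rec in KNOWN_COSTS if applies(year, rec))
        out.append(running)
    return out

def simulated_costs(years=3, trials=20000, seed=1):
    """Monte Carlo: (mean, 90th percentile) of cumulative cost per year."""
    rng = random.Random(seed)
    totals = [[] for _ in range(years)]
    for _ in range(trials):
        running = 0.0
        for year in range(years):
            running += sum(pert_sample(rng, lb, ml, ub)
                           for _, lb, ml, ub, rec in KNOWN_COSTS if applies(year, rec))
            totals[year].append(running)
    return [(sum(d) / trials, sorted(d)[int(0.9 * trials)]) for d in totals]

if __name__ == "__main__":
    for y, (a, (m, p90)) in enumerate(zip(analytic_costs(), simulated_costs()), 1):
        print(f"Year {y}: analytic {a:,.0f}  simulated mean {m:,.0f}  p90 {p90:,.0f}")
```

Under these assumptions the analytic cumulative means land within 1% of the Costs row in the Plan tables, and the 90th percentile shows how much of the spread comes from the setup-and-testing estimate.
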
| UID | Assets at risk | Containers/Points of attack | Threat communities | Threat Types | Effects | Scenario |
|---|---|---|---|---|---|---|
| Risk-1 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-2 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-3 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-4 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |
| Risk-5 | eNPI & FERPA | herp-p-cupmon SDC “CU Monitoring Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupmon SDC “CU Monitoring Server” on ODMNet. |
| Risk-6 | eNPI & FERPA | herp-p-cupsql “SQL Insight Database” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupsql “SQL Insight Database” on ODMNet. |
| Risk-7 | eNPI & FERPA | herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443). |
| Risk-8 | eNPI & FERPA | HERP TIS jump stations for administration on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through HERP TIS jump stations for administration on ODMNet. |
| Risk-9 | eNPI & FERPA | XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network). |
| Risk-10 | eNPI & FERPA | XAs and XDs on 75 Third Ave. (HERP Citrix VDI network) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through XAs and XDs on 75 Third Ave. (HERP Citrix VDI network). |
| Risk-11 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-12 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-13 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-14 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |
| Risk-15 | eNPI & FERPA | herp-p-cupmon SDC “CU Monitoring Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupmon SDC “CU Monitoring Server” on ODMNet. |
| Risk-16 | eNPI & FERPA | herp-p-cupsql “SQL Insight Database” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupsql “SQL Insight Database” on ODMNet. |
| Risk-17 | eNPI & FERPA | herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443). |
| Risk-18 | eNPI & FERPA | HERP TIS jump stations for administration on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through HERP TIS jump stations for administration on ODMNet. |
| Risk-19 | eNPI & FERPA | XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network). |
| Risk-20 | eNPI & FERPA | XAs and XDs on 75 Third Ave. (HERP Citrix VDI network) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through XAs and XDs on 75 Third Ave. (HERP Citrix VDI network). |
| Risk-21 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-22 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-23 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-24 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |
Figures (not reproduced): ECDF, Density, Violin, Swarm, Box, and Ridge plots.